community.hrobot.firewall – Manage Hetzner’s dedicated server firewall
Note
This plugin is part of the community.hrobot collection (version 1.2.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.hrobot.
To use it in a playbook, specify: community.hrobot.firewall.
Synopsis
Manage Hetzner’s dedicated server firewall.
Note that the idempotency check for TCP flags simply compares strings and does not try to interpret the rules, so two flag expressions that mean the same thing but are written differently are reported as a change. This might change in the future.
Parameters
Parameter | Comments
---|---
allowlist_hos | Whether Hetzner services have access. Choices: false, true
hetzner_password | The password for the Robot webservice user.
hetzner_user | The username for the Robot webservice user.
port | Switch port of firewall. Choices: main, kvm
rules | Firewall rules.
rules / input | Input firewall rules.
rules / input / action | Action if rule matches. Choices: accept, discard
rules / input / dst_ip | Destination IP address or subnet address. CIDR notation.
rules / input / dst_port | Destination port or port range.
rules / input / ip_version | Internet protocol version. Note that currently, only IPv4 is supported by Hetzner. Choices: ipv4, ipv6
rules / input / name | Name of the firewall rule.
rules / input / protocol | Protocol above IP layer.
rules / input / src_ip | Source IP address or subnet address. CIDR notation.
rules / input / src_port | Source port or port range.
rules / input / tcp_flags | TCP flags or logical combination of flags. See the Hetzner firewall documentation for the flags it supports and how they can be combined.
server_ip | The server's main IP address.
state | Status of the firewall. The firewall is active if state is present. Choices: present, absent
timeout | Timeout (in seconds) for waiting for the firewall to be configured. Default: 180
update_timeout | Timeout to use when configuring the firewall. Note that the API call returns before the firewall has been successfully set up. Default: 30
wait_delay | Delay to wait (in seconds) before checking again whether the firewall has been configured. Default: 10
wait_for_configured | Whether to wait until the firewall has been successfully configured before determining what to do, and before returning from the module. The API reports an in-progress status while the firewall is still being configured. Please note that there is a request limit. If you have to do multiple updates, it can be better to disable waiting, and regularly use community.hrobot.firewall_info to query the status. Choices: false, true
See Also
- Firewall documentation: Hetzner's documentation on the stateless firewall for dedicated servers.
- community.hrobot.firewall_info: Retrieve information on firewall configuration.
Examples
```yaml
- name: Configure firewall for server with main IP 1.2.3.4
  community.hrobot.firewall:
    hetzner_user: foo
    hetzner_password: bar
    server_ip: 1.2.3.4
    state: present
    allowlist_hos: yes
    rules:
      input:
        - name: Allow everything to ports 20-23 from 4.3.2.1/24
          ip_version: ipv4
          src_ip: 4.3.2.1/24
          dst_port: '20-23'
          action: accept
        - name: Allow everything to port 443
          ip_version: ipv4
          dst_port: '443'
          action: accept
        - name: Drop everything else
          ip_version: ipv4
          action: discard
  register: result
- ansible.builtin.debug:
    msg: "{{ result }}"
```
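The wait_for_configured parameter notes that the Robot API has a request limit and suggests disabling waiting for bulk updates and polling with community.hrobot.firewall_info instead. The following playbook, an added example that is not part of the collection's own documentation, does exactly that for several servers while applying a default-deny rule set; it assumes the credentials are supplied as vaulted variables hetzner_user and hetzner_password, that the IPs and management network are constructed sample values, and that firewall_info returns the status under firewall.status as this module does.

```yaml
# Added example (not from the collection's docs). Assumes hetzner_user /
# hetzner_password come from Ansible Vault and that firewall_info reports
# the state under firewall.status, like the firewall module's return value.
- name: Default-deny inbound, allowing SSH only from the management network
  hosts: localhost
  gather_facts: false
  vars:
    mgmt_net: 203.0.113.0/24        # constructed sample value
    servers:                        # constructed sample main IPs
      - 192.0.2.10
      - 192.0.2.11
  tasks:
    - name: Push the rule set without blocking on each server (request limit)
      community.hrobot.firewall:
        hetzner_user: "{{ hetzner_user }}"
        hetzner_password: "{{ hetzner_password }}"
        server_ip: "{{ item }}"
        state: present
        allowlist_hos: true
        wait_for_configured: false
        rules:
          input:
            - name: Allow SSH from management network
              ip_version: ipv4
              protocol: tcp
              src_ip: "{{ mgmt_net }}"
              dst_port: '22'
              action: accept
            - name: Drop everything else
              ip_version: ipv4
              action: discard
      loop: "{{ servers }}"
      no_log: true                  # keep the Robot credentials out of the log

    - name: Poll until every firewall reports active (18 x 10 s = 180 s, the default timeout)
      community.hrobot.firewall_info:
        hetzner_user: "{{ hetzner_user }}"
        hetzner_password: "{{ hetzner_password }}"
        server_ip: "{{ item }}"
      register: fw
      until: fw.firewall.status == 'active'
      retries: 18
      delay: 10
      loop: "{{ servers }}"
```

Because the Hetzner firewall is stateless (see the linked documentation), a trailing discard rule also applies to reply packets of connections the server itself opens; check the documentation's guidance on TCP flags before using such a rule set on a production host.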
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description
---|---
firewall | The firewall configuration. Returned: success
firewall / allowlist_hos | Whether Hetzner services have access. Returned: success. Sample: true
firewall / port | Switch port of firewall. Returned: success. Sample: "main"
firewall / rules | Firewall rules. Returned: success
firewall / rules / input | Input firewall rules. Returned: success
firewall / rules / input / action | Action if rule matches. Returned: success. Sample: "accept"
firewall / rules / input / dst_ip | Destination IP address or subnet address. CIDR notation. Returned: success. Sample: "1.2.3.4/32"
firewall / rules / input / dst_port | Destination port or port range. Returned: success. Sample: "443"
firewall / rules / input / ip_version | Internet protocol version. Returned: success. Sample: "ipv4"
firewall / rules / input / name | Name of the firewall rule. Returned: success. Sample: "Allow HTTP access to server"
firewall / rules / input / protocol | Protocol above IP layer. Returned: success. Sample: "tcp"
firewall / rules / input / src_ip | Source IP address or subnet address. CIDR notation. Returned: success
firewall / rules / input / src_port | Source port or port range. Returned: success
firewall / rules / input / tcp_flags | TCP flags or logical combination of flags. Returned: success
firewall / server_ip | Server's main IP address. Returned: success. Sample: "1.2.3.4"
firewall / server_number | Hetzner's internal server number. Returned: success. Sample: 12345
firewall / status | Status of the firewall. Will be active or disabled. Returned: success. Sample: "active"
firewall / whitelist_hos | Whether Hetzner services have access. Old name of the return value allowlist_hos. Returned: success. Sample: true
Authors
Felix Fontein (@felixfontein)